Posts created by: Robert Falcone

In November 2018 the Chafer threat group targeted a Turkish government entity reusing infrastructure that they used in campaigns reported earlier in 2018. Unit 42 has observed Chafer activity since 2016, however, Chafer has been active since at least 2015. This new secondary payload is Python-based and compiled into executable form using the PyInstaller utility. We’ve also identified code overlap with OilRig’s Clayside VBScript but at this time track Chafer and OilRig as separate threat groups. We have named this payload MechaFlounder for tracking purposes.

The DarkHydrus group has begun using a new version of the RogueRobin backdoor. This version is written in C# and in addition to using DNS Tunneling for command and control, can also use Google Drive.

Unit 42 has continued researching the Shamoon 3 attacks that impacted an oil and gas organization and identified another wiper Trojan

The Sofacy group continues to use variants of the Zebrocy payload in its attack campaigns.

On December 10, a new variant of the Disttrack malware was submitted to VirusTotal that shares a considerable amount of code with the Disttrack malware used in the Shamoon 2 attacks in 2016 and 2017.

The Sofacy group continued their global attack campaigns between October and November, primarily targeting NATO-aligned nation states and former USSR states and delivering Zebrocy or Cannon.

Unit 42’s continued look into Sofacy reveals global attacks and wheels out new ‘Cannon’ trojan.

Unit 42’s continued look into OilRig analyzes the group’s operational tempo, including testing, weaponization and attack delivery.

Unit 42’s continued look into the OilRig threat group uncovers the use of spear-phishing emails to deliver an updated version the BONDUPDATER Trojan.

The OilRig group maintains their persistent attacks against government entities in the Middle East region using previously identified tools and tactics. As observed in previous attack campaigns, the tools used are not an exact duplicate of the previous attack and instead is an iterative variant. In this instance a spear phishing email was used containing

Following up on previous research, Unit 42 investigates the DarkHydrus threat group’s use of phishery to harvest credentials in the middle east. Read the full report.

Slithering between nation state and cybercrime: Unit 42 examines the Gorgon Group’s unsophisticated yet effective attacks. Read the full report.

Unit 42 uncovers DarkHydrus, a new threat actor group targeting Middle East government.

The OilRig group continues to adapt their tactics and bolster their toolset with newly developed tools. Get the full report from Unit 42.

Unit 42’s continued look at the Sofacy Group’s activity reveals the persistent targeting of government, diplomatic and other strategic organizations across North America and Europe.